feat(envs): Refactor envs variables

.github/workflows/build.yml

@@ -1,7 +1,7 @@
 name: Release and sign module
 on:
     push:
-        tag: ['*'] # semver format
+        tags: ['*'] # semver format
 
 permissions:
     contents: read # needed for checkout
@@ -35,5 +35,5 @@ jobs:
                     --sign=cosign \
                     --latest  \
                     -a 'org.opencontainers.image.licenses=Apache-2.0' \
-                    -a 'org.opencontainers.image.source=https://github.com/yyvess/keycloak-timoni' \
-                    -a 'org.opencontainers.image.description=A Keycloakh module.' \
+                    -a 'org.opencontainers.image.source=https://github.com/${{ github.repository }}' \
+                    -a 'org.opencontainers.image.description=A Keycloak module.' \

templates/config.cue

@@ -105,6 +105,8 @@ import (
 	// App settings.
 	command: [...string] | *["/opt/keycloak/bin/kc.sh", "start"]
 
+	extraEnvs: [...corev1.#EnvVar] | *[]
+
 	ha: replicas > 1
 
 	serviceAccountCreate: *false | bool
@@ -142,57 +144,33 @@ import (
 
 	ingress?: netv1.#IngressSpec
 
+	admin: {
+		user: *{value: *"admin" | string} | {valueFrom?: corev1.#EnvVarSource}
+		password!: *{value?: string} | {valueFrom?: corev1.#EnvVarSource}
+	}
 
-	fileDb: false | *(envs.KC_DB == "dev-file" | envs.KC_DB == _|_)
-
-	jgroups: {
-		name: *"jgroups" | string
-		port: *7800 | int & >0 & <=65535
+	java: {
+		options?: string
 	}
 
-	envs: {
+	database: {
 		if !ha {
-			KC_DB?:            "dev-mem" | "dev-file" | "postgres" | "mariadb" | "mssql" | "mysql" | "oracle"
-			KC_CACHE:          "local"
-			JAVA_OPTS_APPEND?: string
+			type?: *{value: *"dev-file" | "dev-mem" | "postgres" | "mariadb" | "mssql" | "mysql" | "oracle"} | {valueFrom?: corev1.#EnvVarSource}
 		}
 		if ha {
-			KC_DB!:               "postgres" | "mariadb" | "mssql" | "mysql" | "oracle"
-			KC_CACHE:             "ispn"
-			KC_CACHE_CONFIG_FILE: "cache-ispn.xml"
-			JAVA_OPTS_APPEND:     *"-Djgroups.dns.query=\( metadata.name )-\( jgroups.name )" | string
-		}
-		KC_HEALTH_ENABLED:               true
-		KC_HTTP_ENABLED:                 *true | false
-		KC_HTTP_PORT?:                   int & >0 & <=65535
-		KC_HTTPS_PORT?:                  int & >0 & <=65535
-		KC_HOSTNAME_PORT?:               int & >0 & <=65535
-		KC_HOSTNAME?:                    string
-		KC_HOSTNAME_ADMIN?:              string
-		KC_HOSTNAME_URL?:                string
-		KC_HOSTNAME_ADMIN_URL?:          string
-		KC_HOSTNAME_PATH?:               string
-		KC_HOSTNAME_STRICT?:             true | false
-		KC_HOSTNAME_STRICT_HTTPS?:       true | false
-		KC_HOSTNAME_STRICT_BACKCHANNEL?: true | false
-		KC_PROXY?:                       "none" | "edge" | "reencrypt" | "passthrough"
-		KC_METRICS_ENABLED?:             true | false
-		KEYCLOAK_ADMIN:                  *"admin" | string | #secretReference
-		KEYCLOAK_ADMIN_PASSWORD:         string | #secretReference
-		KC_DB_URL?:                      string | #secretReference
-		KC_DB_USERNAME?:                 string | #secretReference
-		KC_DB_PASSWORD?:                 string | #secretReference
-		KC_CACHE_STACK:                  *"kubernetes" | "tcp" | "udp" | "ec2" | "azure" | "google"
-		KC_LOG_LEVEL?:                   string
-		KC_LOG_CONSOLE_OUTPUT?:          string
-		KC_LOG_CONSOLE_FORMAT?:          string
-		if certificateCreate {
-			KC_HTTPS_CERTIFICATE_FILE:     *"/certs/tls.crt" | string
-			KC_HTTPS_CERTIFICATE_KEY_FILE: *"/certs/tls.key" | string
+			type: *{value: "postgres" | "mariadb" | "mssql" | "mysql" | "oracle"} | {valueFrom?: corev1.#EnvVarSource}
 		}
-		if !certificateCreate {
-			KC_HTTPS_CERTIFICATE_FILE?:     string
-			KC_HTTPS_CERTIFICATE_KEY_FILE?: string
+		url?: *{value?: string} | corev1.#EnvVarSource
+		username?: *{value?: string} | {valueFrom?: corev1.#EnvVarSource}
+		password?: *{value?: string} | {valueFrom?: corev1.#EnvVarSource}
+	}
+
+	cache: {
+		stack: *"kubernetes" | "tcp" | "udp" | "ec2" | "azure" | "google"
+		jgroups: {
+			name: *"jgroups" | string
+			port: *7800 | int & >0 & <=65535
 		}
 	}
+
 }

templates/deployment.cue

@@ -6,13 +6,15 @@ import (
 )
 
 #Deployment: appsv1.#Deployment & {
-	#config:         #Config
+	#config: #Config
+	#envs: [...corev1.#EnvVar]
 	#cmName:         string
 	#certSecretName: string
 	#jksSecretName:  string
 	apiVersion:      "apps/v1"
 	kind:            "Deployment"
 	metadata:        #config.metadata
+
 	spec: appsv1.#DeploymentSpec & {
 		replicas: #config.replicas
 		selector: matchLabels: #config.selector.labels
@@ -30,24 +32,18 @@ import (
 				if !#config.serviceAccountCreate {
 					serviceAccountName: *#config.serviceAccount.metadata.name | "default"
 				}
-
 				containers: [
 					{
 						name:            #config.metadata.name
 						command:         #config.command
 						image:           #config.image.reference
 						imagePullPolicy: #config.image.pullPolicy
-						env: [for k, v in #config.envs if v != _|_ && v.name == _|_ {
-							name:  "\( k )"
-							value: "\( v )"
-						},
-							for k, v in #config.envs if v != _|_ && v.name != _|_ {
-								name: "\( k )"
-								valueFrom:
-									secretKeyRef: {
-										name: "\( v.name )"
-										key:  "\( v.key )"
-									}}]
+						env: [
+							{name: "KC_HEALTH_ENABLED", value: "true"},
+							{name: "KC_HTTP_ENABLED", value:   "true"},
+							for x in #envs {x},
+							for x in #config.extraEnvs {x},
+						]
 						ports: [
 							{
 								name:          "http"

templates/instance.cue

@@ -62,6 +62,54 @@ package templates
 			if objects.jks.spec.secretName != _|_ {
 				#jksSecretName: objects.jks.spec.secretName
 			}
+
+			#javaOpts?: string
+			if config.ha && config.java.options == _|_ {
+				#javaOpts: "-Djgroups.dns.query=\( config.metadata.name )-\( config.cache.jgroups.name )"
+			}
+			if config.ha && config.java.options != _|_ {
+				#javaOpts: "\( config.java.options ) -Djgroups.dns.query=\( config.metadata.name )-\( config.cache.jgroups.name )"
+			}
+			if !config.ha && config.java.options != _|_ {
+				#javaOpts: config.java.options
+			}
+			#envs: [
+				if config.database.type != _|_ {
+					{name: "KC_DB"} & config.database.type
+				},
+				if !config.ha {
+					{name: "KC_CACHE", value: "local"}
+				},
+				if config.ha == true {
+					{name: "KC_CACHE", value: "ispn"}
+				},
+				if config.ha == true {
+					{name: "KC_CACHE_STACK", value: config.cache.stack}
+				},
+				if config.ha == true {
+					{name: "KC_CACHE_CONFIG_FILE", value: "cache-ispn.xml"}
+				},
+				if #javaOpts != _|_ {
+					{name: "JAVA_OPTS_APPEND", value: #javaOpts}
+				},
+				if config.certificateCreate {
+					{name: "KC_HTTPS_CERTIFICATE_FILE", value: "/certs/tls.crt"}
+				},
+				if config.certificateCreate {
+					{name: "KC_HTTPS_CERTIFICATE_KEY_FILE", value: "/certs/tls.key"}
+				},
+				{name: "KEYCLOAK_ADMIN"} & config.admin.user,
+				{name: "KEYCLOAK_ADMIN_PASSWORD"} & config.admin.password,
+				if config.database.url != _|_ {
+					{name: "KC_DB_URL"} & config.database.url
+				},
+				if (config.database.username != _|_) {
+					{name: "KC_DB_USERNAME"} & {config.database.username}
+				},
+				if (config.database.password != _|_) {
+					{name: "KC_DB_PASSWORD"} & {config.database.password}
+				},
+			]
 		}
 	}
 }

templates/namespace.cue

@@ -5,11 +5,11 @@ import (
 )
 
 #Namespace: corev1.#Namespace & {
-	#config: #Config
+	#config:    #Config
 	apiVersion: "v1"
 	kind:       "Namespace"
 	metadata: {
-		name:   #config.metadata.namespace
+		name: #config.metadata.namespace
 		if #config.virtualService != _|_ {
 			labels: "istio-injection": "enabled"
 		}

templates/networking.cue

@@ -43,7 +43,7 @@ import (
 					]
 					ports: [{
 						protocol: "TCP"
-						port:     #config.jgroups.port
+						port:     #config.cache.jgroups.port
 					},
 					]}
 			},

templates/services.cue

@@ -57,7 +57,7 @@ import (
 		ports: [
 			{
 				name:       "jgroups"
-				port:       #config.jgroups.port
+				port:       #config.cache.jgroups.port
 				protocol:   "TCP"
 				targetPort: "jgroups"
 			},

test/certificate-values.cue

@@ -36,10 +36,22 @@ values: {
 		}
 	}
 
-	envs: {
-		KEYCLOAK_ADMIN_PASSWORD:  "admin"
-		KC_DB:                    "postgres"
-		KC_DB_USERNAME:           "admin"
-		KC_DB_PASSWORD:           "admin"
+	admin: {
+		password: {value: "admin"}
 	}
+
+	database: {
+		type: {value: "postgres"}
+		url: {value: "jdbc:postgresql://localhost/keycloak"}
+		username: {value: "keycloak"}
+		password: {
+			valueFrom: {
+				secretKeyRef: {
+					name: "my-secret"
+					key:  "my-key"
+				}
+			}
+		}
+	}
+
 }

test/certificate.yaml

@@ -242,32 +242,37 @@ spec:
         - /opt/keycloak/bin/kc.sh
         - start
         env:
+        - name: KC_HEALTH_ENABLED
+          value: "true"
+        - name: KC_HTTP_ENABLED
+          value: "true"
         - name: KC_DB
           value: postgres
         - name: KC_CACHE
           value: ispn
-        - name: JAVA_OPTS_APPEND
-          value: -Djgroups.dns.query=keycloak-jgroups
+        - name: KC_CACHE_STACK
+          value: kubernetes
         - name: KC_CACHE_CONFIG_FILE
           value: cache-ispn.xml
-        - name: KC_HEALTH_ENABLED
-          value: "true"
-        - name: KC_HTTP_ENABLED
-          value: "true"
+        - name: JAVA_OPTS_APPEND
+          value: -Djgroups.dns.query=keycloak-jgroups
+        - name: KC_HTTPS_CERTIFICATE_FILE
+          value: /certs/tls.crt
+        - name: KC_HTTPS_CERTIFICATE_KEY_FILE
+          value: /certs/tls.key
         - name: KEYCLOAK_ADMIN
           value: admin
         - name: KEYCLOAK_ADMIN_PASSWORD
           value: admin
+        - name: KC_DB_URL
+          value: jdbc:postgresql://localhost/keycloak
         - name: KC_DB_USERNAME
-          value: admin
+          value: keycloak
         - name: KC_DB_PASSWORD
-          value: admin
-        - name: KC_CACHE_STACK
-          value: kubernetes
-        - name: KC_HTTPS_CERTIFICATE_FILE
-          value: /certs/tls.crt
-        - name: KC_HTTPS_CERTIFICATE_KEY_FILE
-          value: /certs/tls.key
+          valueFrom:
+            secretKeyRef:
+              key: my-key
+              name: my-secret
         image: quay.io/keycloak/keycloak:23.0@sha256:cff31dc6fbb0ab0b66176b990e6b9e262fa74a501abb9a4bfa4a529cbc8a526a
         imagePullPolicy: IfNotPresent
         livenessProbe:

test/external-secrets-values.cue

@@ -22,14 +22,7 @@ values: {
 		metadata: name: "existing-sa"
 	}
 
-	envs: {
-		KEYCLOAK_ADMIN: {
-			name: "existing-secret"
-			key:  "keycloak-admin-user"
-		}
-		KEYCLOAK_ADMIN_PASSWORD: {
-			name: "existing-secret"
-			key:  "keycloak-admin-password"
-		}
+	admin: {
+		password: {value: "admin"}
 	}
 }

test/external-secrets.yaml

@@ -103,28 +103,20 @@ spec:
         - /opt/keycloak/bin/kc.sh
         - start
         env:
-        - name: KC_CACHE
-          value: local
         - name: KC_HEALTH_ENABLED
           value: "true"
         - name: KC_HTTP_ENABLED
           value: "true"
-        - name: KC_CACHE_STACK
-          value: kubernetes
+        - name: KC_CACHE
+          value: local
         - name: KC_HTTPS_CERTIFICATE_FILE
           value: /certs/tls.crt
         - name: KC_HTTPS_CERTIFICATE_KEY_FILE
           value: /certs/tls.key
         - name: KEYCLOAK_ADMIN
-          valueFrom:
-            secretKeyRef:
-              key: keycloak-admin-user
-              name: existing-secret
+          value: admin
         - name: KEYCLOAK_ADMIN_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              key: keycloak-admin-password
-              name: existing-secret
+          value: admin
         image: quay.io/keycloak/keycloak:23.0@sha256:cff31dc6fbb0ab0b66176b990e6b9e262fa74a501abb9a4bfa4a529cbc8a526a
         imagePullPolicy: IfNotPresent
         livenessProbe: